DoS-Deflate blocks numbers not IP addresses

Posted on August 5, 2008
Filed Under Denial of Service Attacks, Server Security, Web Hosting

We’ve seen a large number of problems with the implementation of the highly acclaimed (D)DoS-Deflate script, which on occasion misreads the output of the netstat command and subsequently blocks a single number instead of the IP address that has exceeded the connection limit on the server where it is installed. Please see http://deflate.medialayer.com/ to obtain the script and installation instructions.

This comes down purely to the netstat command that DoS-Deflate uses: it does not account for some elements of the strings returned, in particular the ‘::ffff:’ prefix that is added to http (port 80) connections.

To overcome this error, rewrite the netstat command in the ddos.sh file (located in the /usr/local/ddos directory if you installed in the default fashion). Line 117 reads…

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST

this should be rewritten to read as follows…

netstat -ntu | grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | uniq -c | sort -nr > $BAD_IP_LIST

NOTE: this command should be written on a single line. You should also check each character, as selecting and copying can sometimes lead to different characters being pasted!

We use the sed command to replace the ‘::ffff:’ with nothing (an empty string), thus removing it.
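To see the difference between the two pipelines without touching a live server, here is an added example (not part of the original post or of the DoS-Deflate script) that feeds a constructed netstat listing through both. The sample output, the addresses in it and the helper functions count_for, top_key and top_count are all my own; it also shows that the original pipeline lets the netstat header lines leak into the list as bogus keys, which the added grep ':' removes.

```shell
# Constructed sample of `netstat -ntu` output (not captured from a real server):
# one plain IPv4 peer, three connections from an IPv4-mapped IPv6 peer (the
# "::ffff:" form seen on dual-stack hosts), and one UDP peer.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             192.0.2.10:51234        ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:198.51.100.7:40001 ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:198.51.100.7:40002 ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:198.51.100.7:40003 ESTABLISHED
udp        0      0 10.0.0.5:53             203.0.113.9:5353        ESTABLISHED'

# The pipeline as it stands on line 117 of ddos.sh, fed from the sample instead
# of a live netstat.  For "::ffff:198.51.100.7:40001" the first colon-delimited
# field is empty, so the three port-80 connections are counted under an empty
# key and the real address never appears in the list; the header lines also
# leak in as bogus keys.
count_original() {
  printf '%s\n' "$SAMPLE_NETSTAT" | awk '{print $5}' | cut -d: -f1 \
    | sort | uniq -c | sort -nr
}

# The corrected pipeline: grep drops the header lines, sed strips the
# IPv4-mapped prefix, and cut then yields the real peer address.
count_fixed() {
  printf '%s\n' "$SAMPLE_NETSTAT" | grep ':' | awk '{print $5}' \
    | sed 's/::ffff://' | cut -f1 -d ':' | sort | uniq -c | sort -nr
}

# Hypothetical helpers for inspecting the result of either pipeline.
# count_for PIPELINE KEY -> connection count recorded for KEY (empty if absent)
count_for() {
  "$1" | awk -v key="$2" '$2 == key {print $1}'
}
# top_key PIPELINE -> the key the script would act on first (highest count)
top_key() {
  "$1" | head -n 1 | awk '{print $2}'
}
# top_count PIPELINE -> that key's connection count
top_count() {
  "$1" | head -n 1 | awk '{print $1}'
}

# Stand-alone run: show both pipelines side by side.
echo "original:"; count_original
echo "fixed:";    count_fixed
```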

A slight improvement to a widely used and highly acclaimed script 🙂
